Friday, 15 April 2016

BAD_CERTIFICATE alert was received (java.lang.RuntimeException: Cannot convert identity certificate)

========================================================================
Applies To:
WLS - 10.3.6
OSB - 11.1.1.7
========================================================================
Problem:
Services with HTTPS/SSL endpoints are not working properly.

Error:
<<Mar 29, 2016 3:48:10 PM CDT> <Warning> <Security> <puru-host> <poc_osb_admin> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <ecba9489e228dd77:-11ecd046:1535560a37c:-7ffd-000000000000fe95> <1459284490478> <BEA-090482> <BAD_CERTIFICATE alert was received from XX.XX.XXX.XXX - XX.XX.XXX.XXX. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>

Reason:
java.lang.RuntimeException: Cannot convert identity certificate
========================================================================
Cause:
The target system recently renewed its certificates. The new certificates installed on the downstream side are signed with the SHA256RSA signature algorithm, whereas the old certificates used SHA1RSA and were working fine.
WebLogic is using its default SSL implementation (CERTICOM).
========================================================================
Resolution:
We need to force WebLogic Server to use JSSE whenever a cipher suite is unsupported by the default SSL implementation (CERTICOM).
To switch the SSL implementation from CERTICOM to JSSE and resolve the issue, follow the steps below:
1. Navigate to Environment -> Servers -> [server name] -> Configuration -> SSL -> Advanced, and enable "Use JSSE SSL".
2. Also import the new root and intermediate certificates from the renewed certificate chain if they are not already present in cacerts.
Log in to each domain host and run the following:
cd $JAVA_HOME/jre/bin
To list the contents of cacerts:
./keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
To import a certificate:
./keytool -import -alias alias_name -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts -file $Cert_location/cert.pem
3. Restart the servers for the changes to take effect, then test the service.
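The script below is an added example (not from the original post) that wraps the cacerts steps above and the check behind the stated cause: it splits a renewed PEM chain into one file per certificate, prints each certificate's subject, issuer and signature algorithm (so a SHA1RSA versus SHA256RSA signature is visible before anything is imported), and imports each certificate into cacerts only if an alias for it is not already there. It assumes the JDK 7/8 `jre/lib/security/cacerts` path used in the post, the JDK default store password `changeit` (override with `STOREPASS`), a placeholder `/usr/java/latest` when `JAVA_HOME` is unset, and that `keytool` and `openssl` are on `PATH` when the import runs; `split_chain` itself needs only `awk`.

```shell
#!/bin/sh
# Added example, not the original post's commands. Prepares a renewed PEM
# certificate chain for import into the JDK cacerts truststore.
set -eu

# Assumptions (labelled): JDK 7/8 layout as in the post, default password,
# placeholder JDK path when JAVA_HOME is not exported.
JDK="${JAVA_HOME:-/usr/java/latest}"
CACERTS="${CACERTS:-$JDK/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Split a PEM bundle into OUTDIR/cert-NN.pem, one file per certificate, and
# print the number of certificates found. Lines outside BEGIN/END markers are
# ignored; close() after each cert avoids re-truncating a finished file.
split_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Print subject, issuer and signature algorithm of one certificate (needs
# openssl). This is where a sha1WithRSAEncryption chain becomes visible.
describe_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Subject:|Issuer:|Signature Algorithm:/' | sort -u
}

# Derive a keystore alias from the subject CN (lower-cased, spaces to dashes);
# fall back to the file name when openssl cannot read a CN.
cert_alias() {
    cn=$(openssl x509 -in "$1" -noout -subject 2>/dev/null |
         sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ -n "$cn" ] || cn=$(basename "$1" .pem)
    printf '%s\n' "$cn" | tr 'A-Z ' 'a-z-'
}

# Import a certificate into cacerts only if its alias is not already present,
# mirroring the "if they are not already present" condition in step 2.
import_if_missing() {
    cert="$1"; alias=$(cert_alias "$cert")
    if keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$alias" >/dev/null 2>&1; then
        echo "already trusted: $alias"
    else
        keytool -import -noprompt -trustcacerts -keystore "$CACERTS" \
            -storepass "$STOREPASS" -alias "$alias" -file "$cert"
        echo "imported: $alias"
    fi
}

# Usage: sh import_chain.sh renewed-chain.pem   (run on each domain host,
# then restart the servers as in step 3)
if [ $# -eq 1 ]; then
    tmp=$(mktemp -d)
    count=$(split_chain "$1" "$tmp")
    echo "$count certificate(s) in $1"
    for f in "$tmp"/cert-*.pem; do
        describe_cert "$f"
        import_if_missing "$f"
    done
fi
```

Run it once per domain host against the renewed chain file; it is idempotent, so re-running after a partial import only adds the aliases that are still missing. Review the `Signature Algorithm` lines it prints before trusting the chain: they confirm whether the renewed certificates are the SHA256RSA-signed ones that triggered the CERTICOM failure described above.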
